Inside | Real news, curated by real humans
Inside Security

Inside Security (Jul 7th, 2016)

We're giving away a ticket to Defcon. Enter here to win!
David’s Take

Botnets of webcams, building better mobile app wrappers, trying to stamp out a major Microsoft Office Word/Excel bug that just doesn’t want to go away, and more on ATM skimmers along with some summer fun too.

We'd love to hear from you – have you experienced any other MS Office exploits lately?

-- David Strom, editor of Inside Security
New and noteworthy product
 
This new product allows users to combine the fast, scalable machine learning algorithms with the capabilities of Apache Spark. While not specifically a security product, the idea is to apply math and predictive analytics to solve today’s most challenging business problems, and make it easier to incorporate large big data sets too.  –H2O.AI
 
Threats and attacks
 
This botnet DDOS attack is unusual in that it leveraged only webcams spread out across more than 10 countries and tens of thousands of IP addresses for the source of the attacks. The defenders talk about how they figured this out and once again remind us to update our IoT device firmware and network settings.  -- SUCURI BLOG
 
Have you checked your webcams and other embedded devices lately to make sure they haven’t been compromised?
 
Here is a bug that has been around for four years and responsible for nearly half of Microsoft Office exploits. It works by compromising Word and Excel documents to allow arbitrary code execution. It is examined in detail by a security researcher, including how it actually works and how it evades detection. – NAKED SECURITY
Helpful tips
 
Here is an interesting interview with a former NSA employee who shared some of his hacking interests and motivations. It is a reminder that there is no safe Internet haven, and that everything can be turned into an attack surface eventually.  – THE INTERCEPT
 
What new things did you learn from this interview?
 
This is a good summary of how you can incorporate app container and wrapping security into your overall mobile app development toolbox. By creating these “safe havens” for data you can isolate potential infections or misuse and also keeping the overall user experience high. App wrapping can add encryption and step-up to VPNs when needed. -- SEARCHSECURITY
 
Any particular app wrapping tools you would recommend?
 
Self Serving Dep't
 
There is a lot of great information in this analysis of the recent Bangladeshi SWIFT hack that is worth reviewing, including knowing how you can identify intruders from digital footprints, patch and pray is still not a strategy, and why identity and access management is more important. -- TRIPWIRE BLOG
 
What strategies are you using to better identify and contain intrusions?
 
While somewhat self-serving, this blog post offers up a nice collection of suggestions on how to make your network more difficult to penetrate, such as by using file integrity monitoring solutions, database profiling and a database firewall, enforcing host based access controls.  – IMPERVA BLOG
 
My review of 10 endpoint detection and remediation products shows a growing sophistication and subtlety into how we try to stay ahead of the malware creators. In this hands-on test, I look at coverage beyond ordinary Windows endpoints, the various agent/agentless approaches, what kinds of virus feeds and integrations with event logs are available and whether the products can be used in real time or not.  -- NETWORK WORLD

 
Bug Bounties
 
The DoD bug bounty program has inspired another federal agency to put together its own program, which could be up and running later this year.  The Department of Health and Human Services is looking at ways to improve security for both medical devices and electronic medical records. The challenge will be in how the vulnerabilities are shared and fixed once identified.– FEDERAL TIMES
 
What advice would you give to the government to run effective bounty programs?

Just for fun

 
We celebrate our nation’s independence (the above is just some of the aftermath on a local Maryland beach) and we also must mark the day as the time to turn off THOMAS. As in the 20+-year-old Library of Congress database. Back in the mid-1990s you would be able to search for full-text legislation when the web was young and many people still used Gopher and Archie protocols. Many of us recall with fondness and frustration the old system, and you can get a look back to those times here. – LIBRARY OF CONGRESS BLOG
 
Thanks to Brian Krebs we are all a little bit more aware of ATM skimmers that can read our bank cards when we think we are just using an ordinary ATM machine. This video shows you how to approach any ATM machine these days and make sure that someone hasn’t added a skimmer to the machine, and exactly what one of these beastly things looks like, down to the transparent cover and well-placed electronics. -- HACKER NEWS
Not surprisingly, a study of TV-related Tweets by social analytics company Canvs found that feelings of hate lead to up to three times bigger increases in viewership the following week for drama and reality shows. Maybe Taylor Swift was right. – ADWEEK
 
How likely are you to recommend Inside Security to a friend or colleague?

          
More from Inside
 
Inside Security is just one of Inside's network of newsletters. Here are some others you might like:

Inside VR & AR: Diving deep into the virtual/augmented reality products, companies, communities, and news. (2x/week)

Inside Electric Vehicles: From Tesla to Faraday Future to the big car manufacturers, we're tracking everything in the EV industry. (2x/week)

Inside Daily Brief: A roundup of all the most interesting news, across verticals. (2x/day)

ReadThisThing: One link to a fascinating piece of journalism, daily.
 
Copyright © 2016 Inside, All rights reserved.


You're receiving this email because you are subscribed to Inside Security. If you don't want to receive it anymore, go ahead and unsubscribe – or just hit reply and tell us how to make it better.

Subscribe to Inside Security